vikaskr22 commented on code in PR #593:
URL: https://github.com/apache/ranger/pull/593#discussion_r2156189930


##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java:
##########
@@ -171,16 +175,22 @@ public void init() {
 
         XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
 
-        defaultMdAlgo  = getConfig("ranger.keystore.file.type", 
KeyStore.getDefaultType()).equalsIgnoreCase("bcfks") ? "SHA-512" : "MD5";
-        mkCipher       = 
getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
-        mkKeySize      = 
getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
-        saltSize       = 
getIntConfig("ranger.kms.service.masterkey.password.salt.size", 
DEFAULT_SALT_SIZE);
-        salt           = 
getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
-        pbeAlgo        = 
getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", 
DEFAULT_CRYPT_ALGO);
-        mdAlgo         = 
getConfig("ranger.kms.service.masterkey.password.md.algorithm", defaultMdAlgo);
-        iterationCount = 
getIntConfig("ranger.kms.service.masterkey.password.iteration.count", 
DEFAULT_ITERATION_COUNT);
-        paddingString  = Joiner.on(",").skipNulls().join(mkCipher, mkKeySize, 
saltSize, pbeAlgo, mdAlgo, iterationCount, salt);
-
+        isFipsEnabled       = getConfig("ranger.keystore.file.type", 
KeyStore.getDefaultType()).equalsIgnoreCase("bcfks");
+        defaultMdAlgo       = isFipsEnabled ? "SHA-512" : "MD5";
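
Review bot: `isFipsEnabled` on the first added line is set only from `ranger.keystore.file.type` being `bcfks`, so the flag records the keystore format rather than whether the runtime is actually operating in FIPS mode. Either name it for what it checks or add a comment stating that a BCFKS keystore is being used as the FIPS indicator, so later code that branches on it does not assume more than this test guarantees. The second added line also keeps `MD5` as the default digest whenever the keystore type is not `bcfks`; if that default is intentional, a comment next to it saying why would help the next reader.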

Review Comment:
   @rameeshm, agree. In fact, this is the plan, but not only for MessageDigest.
   If you see, the default is **SHA-512** for a FIPS cluster. I am working on one more JIRA where KMS will use all FIPS-compliant algorithms and related parameters for all environments, not only for FIPS.
   Some examples: the way we generate the Secret/IV, etc.
   
   To answer this question, the default is SHA-512 for FIPS. MD5 is for non-FIPS.


